2021: A Year in Data Privacy
For many, 2021 will be a year to forget: COVID-19 lockdowns, travel restrictions, dodgy politicians, and other issues have dominated the headlines. So, we thought we’d move away from all that and look at the privacy news that caught our eye this year.
How ironic it was that in the month that International Privacy Day (28 January) is held, a data leak affected 2.3 million users of a dating application. It’s fair to say that those responsible for MeetMindful should have been more mindful of their users’ privacy.
The EU and the UK signed an interim agreement on data flows post-Brexit, allowing the continued movement of data in both directions unhindered by further controls.
It was also a big month for the slowly progressing ePrivacy Regulation. The 14th draft of the much-needed update to the current directive was published by the Portuguese presidency of the EU Council, who appeared to be providing impetus to the process.
The ICO (Information Commissioner’s Office) set its tone for the year when it announced a renewed investigation into real-time bidding and the AdTech industry. It intended to undertake a series of audits focusing on data management platforms and data broking operations.
It was an interesting start for the man with possibly the toughest job in privacy. Henry Moniz began his role as Facebook’s Chief Privacy Officer in the same month as the embattled platform found itself facing a second class-action lawsuit in London and a €7 million (about £6 million) fine issued by the Italian regulator.
Social media platform TikTok came under media scrutiny as the European Consumer Organisation, the Bureau Européen des Unions de Consommateurs, submitted a privacy complaint to the European Commission regarding alleged children’s privacy violations. It claimed TikTok’s processing was “misleading” and “does not clearly inform its users […] about what personal data is collected, for what purpose and for what legal reason”. Consumer organisations in 15 countries also urged authorities to investigate the platform.
Mozilla, on the other hand, provided more positive news when it announced it was integrating “Total Cookie Protection” into its browser software, giving users the default option of cookie-less browsing. This signalled a trend across the year of Internet software providers introducing increased privacy protection.
Following the Schrems II case in 2020, Max Schrems’s “Facebook & Explicit Consent Case” reached the Austrian Supreme Court for its appeal hearing (and would later be referred again to the European Court of Justice). The case highlighted the importance of using the correct legal basis for processing and transparency around consent.
What appeared to be a case of privacy bureaucrat infighting erupted after European MPs called out that “a lack of political will and resources” had resulted in a laggard approach to enforcement of the EU’s GDPR (General Data Protection Regulation), singling out the lack of sanctions dished out by the Irish DPC (Data Protection Commission). Back in the UK, the hunt started for Elizabeth Denham’s successor for the Information Commissioner role.
Vodafone’s activities in Spain came into focus as the organisation incurred an €8 million (about £6.83 million) fine for a variety of personal data privacy failures, which appeared to amount to a considerable lack of record keeping and an inability to demonstrate consent for data used for marketing. The ruling was important as it made clear the importance of organisations being able to demonstrate GDPR compliance.
Another month and yet another Facebook privacy issue when it emerged that a user in a hacking forum had published the personal data of more than 530 million Facebook users for free. This prompted the platform to reveal that this had been the result of a data breach back in 2019, which it had already addressed. An EU mass action lawsuit followed.
Google also got on the wrong end of regulators after France’s Data Protection Authority, the CNIL, received a complaint from Schrems and his noyb organisation regarding the use of unconsented tracking technology embedded in the Android operating system. The case highlighted the growing calls for controls on tracking by the Internet giants such as Google – a theme that ran throughout the year.
Apple provided a counterpoint with the launch of its App Tracking Transparency Framework, bringing real control back to users at the expense of considerable advertising revenues for its app publishers.
Google made the news again when it announced that its advertisers would be able to “gain insights in Google Analytics and other measurement products without the use of third-party cookies and identifiers”, continuing to follow the move away from cookie-based solutions into what appear to be more privacy-sensitive approaches. While still problematic, it was a step in the right direction.
Meanwhile, the ICO clearly helped demonstrate that even big organisations can get it wrong when it comes to privacy when it fined American Express Services Europe £90,000 for sending more than 4 million nuisance emails, including to some who had “opted out”. This served as a warning to organisations using third-party marketing services to ensure that they meet the standards required under the law.
Doubts were cast over the success of the impending EU–UK adequacy decisions after the influential EU LIBE committee expressed significant concerns about the state of privacy controls in the UK and data flows to the US – all somewhat confusing as the UK’s practices hadn’t changed from the time it was a fully paid-up member of the EU.
Summer arrived and with it the good news that sense had prevailed and the EU–UK adequacy agreement had been ratified.
Apple continued to recognise the power of privacy when it announced more privacy tools for the upcoming iOS 15, but the writing was on the wall for the NHS patient data-sharing programme when it was deferred to September in response to privacy concerns regarding the release of medical data to third parties.
IKEA, everyone’s favourite flat-pack merchant, found out what could go wrong when it received a hefty €1 million (about £853,000) fine from the CNIL after it was found to have been unlawfully processing the data of its employees. The case was notable as the former IKEA France Chief Executive was handed a personal €50,000 (about £43,000) fine and a two-year suspended prison sentence for his involvement. Senior execs beware…
July kicked off with the continuing saga of Facebook and WhatsApp as the European Data Protection Board overturned a request to ban data sharing between the two platforms, but then requested that the Irish DPC (yes, that same one that in March was called out for being too lenient) investigate further. To be continued…
Meanwhile, Facebook continued to address privacy in its own unique way when it asked developers to complete a questionnaire about how they protect and use platform data. Time to shut the stable door.
July also saw British Airways finally settle a legal claim by some of the 420,000 people affected by its major 2018 data breach. Having had its ICO fine considerably reduced from the initial £183 million to £20 million, this final settlement – which remains confidential – drew a line under the sorry saga.
The month ended with an astounding €746 million (about £737 million) GDPR fine levied on Amazon in response to a 2018 complaint by a French privacy rights group. The complaint, filed on behalf of more than 10,000 customers, alleged that the online retail giant was selectively targeting advertising and information without a suitable legitimate basis. Unsurprisingly Amazon wasn’t having any of it, considered the fine baseless and stomped off to “defend itself vigorously”.
As summer slipped by almost untroubled by warm weather, Brussels bureaucrats were getting hot under the collar about the UK adequacy agreement after UK politicos hinted that a little flexibility in our approach might be a good thing. Brussels is still watching closely and poised to rip it all up should a “case of justified urgency” arrive.
When the most populous nation on Earth, China, does privacy it should be big news – and it was. The PIPL (Personal Information Privacy Law) was ratified, combining many of the requirements of a GDPR-like approach with more draconian measures (like the mandatory storing of the data of Chinese citizens in China) – adding to the increasingly complex burden of extra-territorial privacy laws that multinationals have to deal with.
T-Mobile provided the inevitable breach news when it announced that a hack exposed the details of more than 40 million customers. Phone numbers, account numbers, passwords and financial information were all available. The attacker took the unusual step of announcing that it had been done in retaliation for his alleged kidnapping and torture by the US. It appears that he then sold the hacked data, thus destroying any vestige of sympathy he may have received for his initial claim.
In less interesting but more practical news, the ICO announced that it had approved the first three GDPR certification schemes, which was nice.
A new month and a new UK Information Commissioner was revealed. John Edwards, fresh from his role as New Zealand’s privacy commissioner, would be taking over the reins from the outgoing Elizabeth Denham in November.
The ICO also made the news when the Children’s code came into effect. It was designed to ensure that online services respect children’s rights and freedoms when using children’s data. The groundbreaking code appears to have been a worldwide hit, with other countries, notably the US, calling for voluntary adoption by media platforms before further regulation.
In proof that the consequences of Schrems II continue, September closed out with the requirement that, from then on, new data transfer agreements under the EU GDPR use the modernised SCCs (standard contractual clauses) approved by the European Commission.
It wasn’t such a good month for Apple as it rushed to issue emergency software patches to close a vulnerability that allowed spyware to infect iPhones, iPads, Apple Watches and Macs anywhere. The zero-click remote exploit, produced by Israeli organisation NSO Group and known as Pegasus, could have been used by governments everywhere for mass surveillance. The vulnerability had been in place for at least six months before detection. Rotten Apples indeed.
A busy privacy month started with a data breach featuring millions of documents that revealed the offshore assets and deals of more than 100 billionaires, 30 world leaders and 300 public officials. Known as the Pandora Papers, the leaked documents unsurprisingly gained attention for their content rather than any sympathy for the privacy impact on the individuals concerned. Where it may have an impact is on the financial institutions from where these sensitive records leaked, and for which there may be contractual and credibility issues as a result.
The ongoing challenge to social media platforms’ use of data continued unabated. The Irish DPC decided to fine Facebook up to €36 million (about £30.7 million) for failures of transparency in its privacy policies; however, it also decided that it was OK for Facebook to process individuals’ data for many of its less obvious purposes under the basis of contractual obligation rather than consent. Schrems and noyb took exception, and some other data protection authorities didn’t agree with it either.
Meanwhile, Twitter’s €450,000 (about £383,000) fine was confirmed in the Irish courts. The fine related to the delayed notification – beyond the mandated 72-hour reporting window – of a 2019 data breach that exposed the details of Android Twitter users who had changed their email addresses.
It came as no shock that Amazon appealed its record €765 million (about £652 million) fine issued earlier in the year, claiming it collects its vast amount of user data “to improve customer experiences and journeys”. The case rumbles on.
Alphabet’s Google and sister company DeepMind faced legal action for the way they had obtained and processed more than a million patient health records without consent in the UK. Law firm Mishcon de Reya filed a claim with the High Court on behalf of approximately 1.6 million other individuals whose medical records were obtained by DeepMind to develop a patient monitoring app called Streams. The ICO had ruled back in 2017 that the data-sharing agreement between DeepMind and the NHS had failed to comply with data protection law.
November was another busy month for privacy regulators across Europe and had a distinctly biometric theme.
It both started and ended with Clearview AI in the firing line for its use of biometrics for facial recognition. The joint investigation by the ICO and the Australian OAIC into the organisation’s practices concluded early in November, with the ICO proposing a £17 million fine for the alleged misuse of scraped images and biometric data.
noyb issued a formal complaint against adult dating app Grindr for reportedly demanding biometric and other identifiers from anyone wanting to undertake a data subject access request.
Grindr allegedly requires data subjects to provide excessive data for identity verification, including photographs of themselves holding their passport and a paper with their email address. Registration and use of the app itself only requires limited data such as email and date of birth, so the requested verification data has the potential to provide a greater means of identification than originally provided by the user.
Clothing app Vinted came under fire as a joint investigation into the Lithuanian-based platform was launched by European regulators following complaints that identity card scans were required to free up users’ account funds. The regulators will be examining the proportionality of this request in what could turn out to be a further example of excessive data processing.
The rumble between regulators and social media platforms continued into November with WhatsApp surprising no one when it appealed the €225 million (about £192 million) fine issued by the Irish DPC in August, claiming the fine to be unconstitutional and incompatible with the European Convention on Human Rights. The outcome is yet to be decided.
Elizabeth Denham left her role as UK Information Commissioner by outlining new data standards for organisations developing Internet advertising solutions. She stated that the ICO “will not accept proposals based on underlying AdTech concepts that replicate or seek to maintain the status quo”. She also voiced her concerns regarding any future post-Brexit UK data protection reforms, stating that any regulatory reform “must keep people, and people’s trust, at its centre”.
Denham’s departing messages fell on seemingly deaf ears with her European colleagues as the European Parliament signed off the Digital Services Act, having watered down the proposed blanket ban on targeted advertising. This no doubt brought some relief to the beleaguered Interactive Advertising Bureau, which is still awaiting the outcome of the investigation into the Transparency & Consent Framework by the Belgian Data Protection Authority – a decision that may yet have big ramifications for the AdTech industry.
The Digital Services Act did at least formally acknowledge that “Dark Patterns” when gaining consent are a bad thing (if the GDPR consent rules hadn’t already made that abundantly clear enough).
The Irish DPC made the news again for its draft decision in an inquiry into Instagram. The 14-month investigation looked at the processing of children’s data by Facebook in relation to Instagram. The findings have been passed to other concerned regulators for their “reasoned objections” and should be finalised early in the new year.
In a move sure to weaken European trust in UK data protection further, the US and UK committed to “deepening the UK-U.S. data partnership to realize a more peaceful and prosperous future by promoting the trustworthy use and exchange of data across borders”. The joint statement also confirmed that both parties “seek to shape a global data ecosystem in a manner that promotes and advances interoperability between different data protection frameworks, facilitating cross-border data flows while maintaining high standards of data protection and trust. We are committed to open and inclusive engagement with international partners, industry, civil society, and consumer and privacy rights groups.”
We look forward to following that dialogue with interest.
The ever-changing world of privacy regulation looks set to continue unabated in 2022, and will continue to be an evolving challenge for governments and organisations alike to manage. With that thought in mind, we would like to wish all our readers a very merry Christmas and a privacy-problem-free new year.